Internet Protocol Over The Air (IOTA), Wireless Application Protocol (WAP) provisioning, and PUSH specifications are wireless communication protocols that enable network operators to program and push content to cellular telephone handsets over the air using a WAP enabled browser. The IOTA provisioning protocol has been implemented by Code Division Multiple Access (CDMA) wireless network operators, and the WAP provisioning protocol has been implemented by Global System for Mobile Communications (GSM) communication network operators.
To initiate a WAP provisioning session, a Push Proxy Gateway (PPG) sends an Internet Protocol (IP) message, known as a Session Initiation Request (SIR) or a Hello Request, to the mobile station. An IOTA provisioning session is initiated similarly by sending a session request in the form of a modified Short Message Service (SMS) message, known as a bootstrap request, from an SMS Center (SMSC) to the mobile station.
In IOTA provisioning sessions, the SMS or bootstrap request contains information enabling the phone browser to fetch Mobile Management Command (MMC) documents from a specified address. MMC documents manage specific parameters in the mobile handset, for example, by instructing the handset to read and write phone parameters, to initiate A-key exchange, and to update a preferred roaming list (PRL), etc.
Bootstrap request messages are relatively easy to generate and/or modify. If a phone number and its ESN are known, an unauthorized bootstrap message may be generated and sent to the phone with deceitful instructions to fetch a counterfeit MMC document, which may be used to manipulate the phone, for example by instructing it to perform some action that would provide unauthorized service to a hacker.
It has been proposed to protect against spoofing and other unauthorized communications by comparing source addresses from which session initiation requests originate with a list of known valid or trusted contacts stored on the wireless handset. Under the proposal, however, the list of trusted contacts stored in the wireless handset is static and does not provide for ready address changes and/or the removal and addition of new trusted contacts.
The various aspects, features and advantages of the present disclosure will become more fully apparent to those having ordinary skill in the art upon careful consideration of the following Detailed Description thereof with the accompanying drawings described below.